Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

To: debian-lts@lists.debian.org
Cc: Raphael Hertzog <hertzog@debian.org>
Subject: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
From: Roberto C. Sánchez <roberto@connexer.com>
Date: Tue, 29 Nov 2016 07:44:14 -0500
Message-id: <[🔎] 20161129124413.GB16992@miami.connexer.com>
Mail-followup-to: debian-lts@lists.debian.org, Raphael Hertzog <hertzog@debian.org>
In-reply-to: <[🔎] 20161129123354.vipuy7i6jpewn3jm@home.ouaza.com>
References: <[🔎] 20161128060237.GA26261@miami.connexer.com> <[🔎] 20161128071326.jhvcaoavbkjpht4a@bogon.m.sigxcpu.org> <[🔎] 20161128114407.GB26261@miami.connexer.com> <[🔎] 20161129111410.padrpl3w2lylsdrz@home.ouaza.com> <[🔎] 20161129120417.GA16992@miami.connexer.com> <[🔎] 20161129123354.vipuy7i6jpewn3jm@home.ouaza.com>

On Tue, Nov 29, 2016 at 01:33:54PM +0100, Raphael Hertzog wrote:
> On Tue, 29 Nov 2016, Roberto C. Sánchez wrote:
> > Hi Raphael,
> > 
> > On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote:
> > > Hi,
> > > 
> > > On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> > > > Quite right:
> > > > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
> > > 
> > > Somme comments:
> > > - since we have no git history, it's nice to indicate in each patch what
> > >   CVE it fixes (I like to name the patch according to the CVE it fixes too)
> > >   here, I have to lookup the upstream ticket or commit to find out and in many
> > >   cases, it's no longer possible since the patch refers to a
> > >   trac.imagemagick.org URL which no longer exists and/or the commit does
> > >   not have the CVE number :(
> > 
> > My initial post to the list had a question about how to handle the
> > issues without a CVE ID in the DLA.  The suggestion was to annotate the
> 
> Right, but when I look at
> https://security-tracker.debian.org/tracker/source-package/imagemagick
> most of the issues have CVE numbers assigned. And while you have put
> the CVE numbers in the changelog, they are not in the patches themselves
> (and the patch name is not in the changelog either). So it's currently
> hard to map a patch back to its associated CVE.
> 
> My request is thus to include the CVE number (when applicable) in each
> patch directly, either through the filename or in the description (or
> both, which is what I usually do).
> 
OK.  I missed the part where you said "in each patch."  I can certainly
do that.

> > corresponding Debian bug numbers.  I can do the same for the changelog
> > entries, assuming that it is not a problem that all those bugs will then
> > have closure notices related to this upload.
> 
> No, it's clearly not a problem, on the contrary it will give the BTS a
> more comprehensive view of the fixed versions for each bug.
> 

I will update the changelog accordingly.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Reply to:

References:
- RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Guido Günther <agx@sigxcpu.org>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Next by Date: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Previous by thread: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Next by thread: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Index(es):
- Date
- Thread